Refactor: Replace YamlHelper utility with YamlScalarAccessor trait

Migrated all security recipes from static YamlHelper utility methods to
the YamlScalarAccessor trait pattern. This improves code organization and
follows OpenRewrite best practices for LST manipulation.

Changes:
- Created YamlScalarAccessor trait with 6 default methods
- Migrated 7 recipes to implement the trait
- Deleted deprecated YamlHelper utility class
- All tests pass

Author: sjungling

MIGRATION_EXAMPLE_TemplateInjectionRecipe.java

@@ -0,0 +1,238 @@
+/*
+ * MIGRATION EXAMPLE: TemplateInjectionRecipe using YamlScalarAccessor trait
+ *
+ * This file demonstrates what TemplateInjectionRecipe would look like after
+ * migrating from YamlHelper utility class to YamlScalarAccessor trait.
+ *
+ * Key changes:
+ * 1. Add "implements YamlScalarAccessor" to visitor class
+ * 2. Replace "YamlHelper.getScalarValue(x)" with "getScalarValue(x)"
+ * 3. No import changes needed (trait is an interface)
+ *
+ * Lines changed: 4 (lines 125, 146, 164 in original)
+ * Import changes: 0
+ * Behavior changes: 0 (identical functionality)
+ */
+
+package org.openrewrite.github.security;
+
+import lombok.EqualsAndHashCode;
+import lombok.Value;
+import org.jspecify.annotations.Nullable;
+import org.openrewrite.*;
+import org.openrewrite.marker.SearchResult;
+import org.openrewrite.yaml.JsonPathMatcher;
+import org.openrewrite.yaml.YamlIsoVisitor;
+import org.openrewrite.yaml.tree.Yaml;
+import org.openrewrite.github.traits.YamlScalarAccessor;  // NEW IMPORT
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Value
+@EqualsAndHashCode(callSuper = false)
+public class TemplateInjectionRecipe extends Recipe {
+
+    // User-controllable contexts that can lead to injection vulnerabilities
+    private static final Set<String> DANGEROUS_CONTEXTS = new HashSet<>(Arrays.asList(
+            "github.event.pull_request.title",
+            "github.event.pull_request.body",
+            "github.event.pull_request.head.ref",
+            "github.event.pull_request.head.label",
+            "github.event.pull_request.head.repo.default_branch",
+            "github.event.pull_request.base.ref",
+            "github.event.issue.title",
+            "github.event.issue.body",
+            "github.event.comment.body",
+            "github.event.review.body",
+            "github.event.pages[0].page_name",
+            "github.event.commits[0].message",
+            "github.event.head_commit.message",
+            "github.event.commits[0].author.name",
+            "github.event.commits[0].author.email",
+            "github.head_ref"
+    ));
+
+    // Contexts that reference user-controllable step outputs
+    private static final Pattern STEPS_OUTPUT_PATTERN = Pattern.compile(
+            "steps\\.[^.]+\\.outputs\\.[^\\s}]+"
+    );
+
+    // Actions known to have code injection sinks
+    private static final Set<String> CODE_INJECTION_ACTIONS = new HashSet<>(Arrays.asList(
+            "actions/github-script",
+            "amadevus/pwsh-script",
+            "jannekem/run-python-script-action",
+            "cardinalby/js-eval-action"
+    ));
+
+    // Expression pattern to find GitHub Actions expressions
+    private static final Pattern EXPRESSION_PATTERN = Pattern.compile(
+            "\\$\\{\\{([^}]+)\\}\\}"
+    );
+
+    @Override
+    public String getDisplayName() {
+        return "Find template injection vulnerabilities";
+    }
+
+    @Override
+    public String getDescription() {
+        return "Find GitHub Actions workflows vulnerable to template injection attacks. These occur when user-controllable " +
+                "input (like pull request titles, issue bodies, or commit messages) is used directly in `run` commands or " +
+                "`script` inputs without proper escaping. Attackers can exploit this to execute arbitrary code. " +
+                "Based on [zizmor's `template-injection` audit](https://github.com/woodruffw/zizmor/blob/main/crates/zizmor/src/audit/template_injection.rs).";
+    }
+
+    @Override
+    public TreeVisitor<?, ExecutionContext> getVisitor() {
+        return Preconditions.check(
+                new FindSourceFiles(".github/workflows/*.yml"),
+                new TemplateInjectionVisitor()
+        );
+    }
+
+    // CHANGE: Added "implements YamlScalarAccessor"
+    private static class TemplateInjectionVisitor extends YamlIsoVisitor<ExecutionContext>
+            implements YamlScalarAccessor {
+
+        private static final JsonPathMatcher STEP_RUN_MATCHER = new JsonPathMatcher("$..steps[*].run");
+        private static final JsonPathMatcher STEP_USES_MATCHER = new JsonPathMatcher("$..steps[*].uses");
+        private static final JsonPathMatcher STEP_SCRIPT_MATCHER = new JsonPathMatcher("$..steps[*].with.script");
+
+        @Override
+        public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionContext ctx) {
+            Yaml.Mapping.Entry mappingEntry = super.visitMappingEntry(entry, ctx);
+
+            // Check run commands for injection vulnerabilities
+            if (STEP_RUN_MATCHER.matches(getCursor())) {
+                return checkRunEntry(mappingEntry);
+            }
+
+            // Check uses entries for code injection actions
+            if (STEP_USES_MATCHER.matches(getCursor())) {
+                return checkUsesEntry(mappingEntry);
+            }
+
+            // Check script inputs for code injection actions
+            if (STEP_SCRIPT_MATCHER.matches(getCursor())) {
+                return checkScriptEntry(mappingEntry);
+            }
+
+            return mappingEntry;
+        }
+
+        private Yaml.Mapping.Entry checkRunEntry(Yaml.Mapping.Entry entry) {
+            // CHANGE: Removed "YamlHelper." prefix - now using trait method
+            String runCommand = getScalarValue(entry.getValue());
+            if (runCommand == null) {
+                return entry;
+            }
+
+            // Check for dangerous template expressions in run commands
+            String vulnerableContext = findVulnerableContext(runCommand);
+            if (vulnerableContext != null) {
+                String message;
+                if (vulnerableContext.startsWith("User-controlled input")) {
+                    message = "Potential template injection vulnerability. " + vulnerableContext + " used in run command without proper escaping.";
+                } else {
+                    message = "Potential template injection vulnerability. User-controlled input '" + vulnerableContext + "' used in run command without proper escaping.";
+                }
+                return SearchResult.found(entry, message);
+            }
+
+            return entry;
+        }
+
+        private Yaml.Mapping.Entry checkUsesEntry(Yaml.Mapping.Entry entry) {
+            // CHANGE: Removed "YamlHelper." prefix - now using trait method
+            String usesValue = getScalarValue(entry.getValue());
+            if (usesValue == null) {
+                return entry;
+            }
+
+            // Check if this is a code injection action
+            for (String dangerousAction : CODE_INJECTION_ACTIONS) {
+                if (usesValue.startsWith(dangerousAction)) {
+                    // Flag the use of a code injection action as potentially dangerous
+                    return SearchResult.found(entry,
+                            "Potential code injection in script input. User-controlled content in script execution context.");
+                }
+            }
+
+            return entry;
+        }
+
+        private Yaml.Mapping.Entry checkScriptEntry(Yaml.Mapping.Entry entry) {
+            // CHANGE: Removed "YamlHelper." prefix - now using trait method
+            String scriptContent = getScalarValue(entry.getValue());
+            if (scriptContent == null) {
+                return entry;
+            }
+
+            // Check for vulnerable contexts in the script content
+            String vulnerableContext = findVulnerableContext(scriptContent);
+            if (vulnerableContext != null) {
+                String message;
+                if (vulnerableContext.startsWith("User-controlled input")) {
+                    message = "Potential code injection in script. " + vulnerableContext + " used in script without proper escaping.";
+                } else {
+                    message = "Potential code injection in script. User-controlled input '" + vulnerableContext +
+                            "' used in script without proper escaping.";
+                }
+                return SearchResult.found(entry, message);
+            }
+
+            return entry;
+        }
+
+        private @Nullable String findVulnerableContext(String content) {
+            // Find all expressions in the content
+            Matcher matcher = EXPRESSION_PATTERN.matcher(content);
+
+            while (matcher.find()) {
+                String expression = matcher.group(1).trim();
+
+                // Check for complex expressions containing dangerous contexts first
+                if (isComplexExpression(expression) && containsDangerousContextInExpression(expression)) {
+                    return "User-controlled input in complex expression";
+                }
+
+                // Check for directly dangerous contexts
+                for (String dangerousContext : DANGEROUS_CONTEXTS) {
+                    if (expression.contains(dangerousContext)) {
+                        return dangerousContext;
+                    }
+                }
+
+                // Check for steps outputs (which may contain user input)
+                Matcher stepsMatcher = STEPS_OUTPUT_PATTERN.matcher(expression);
+                if (stepsMatcher.find()) {
+                    return stepsMatcher.group();
+                }
+            }
+
+            return null;
+        }
+
+        private boolean isComplexExpression(String expression) {
+            // Consider it complex if it contains function calls or multiple contexts
+            return expression.contains("(") && expression.contains(")");
+        }
+
+        private boolean containsDangerousContextInExpression(String expression) {
+            // Check for function calls or complex expressions that might contain dangerous contexts
+            for (String dangerousContext : DANGEROUS_CONTEXTS) {
+                if (expression.contains(dangerousContext)) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+    }
+}

src/main/java/org/openrewrite/github/security/ArtifactSecurityRecipe.java

@@ -19,6 +19,7 @@
 import lombok.Value;
 import org.jspecify.annotations.Nullable;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.JsonPathMatcher;
 import org.openrewrite.yaml.YamlIsoVisitor;
@@ -78,7 +79,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class ArtifactSecurityVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class ArtifactSecurityVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private static final JsonPathMatcher STEP_USES_MATCHER = new JsonPathMatcher("$..steps[*].uses");
 
@@ -108,7 +109,7 @@ public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionC
 
 
         private Yaml.Mapping.Entry checkUsesEntry(Yaml.Mapping.Entry entry) {
-            String usesValue = YamlHelper.getScalarValue(entry.getValue());
+            String usesValue = getScalarValue(entry.getValue());
             if (usesValue == null) {
                 return entry;
             }
@@ -133,7 +134,7 @@ private Yaml.Mapping.Entry checkCheckoutAction(Yaml.Mapping.Entry entry) {
                 return entry;
             }
 
-            String persistCredentials = YamlHelper.findNestedScalarValue(stepMapping, "with", "persist-credentials");
+            String persistCredentials = findNestedScalarValue(stepMapping, "with", "persist-credentials");
 
             if (persistCredentials == null) {
                 // No 'with' section or no persist-credentials means default behavior (persist-credentials: true)
@@ -159,7 +160,7 @@ private Yaml.Mapping.Entry checkUploadArtifactAction(Yaml.Mapping.Entry entry) {
                 return entry;
             }
 
-            String pathValue = YamlHelper.findNestedScalarValue(stepMapping, "with", "path");
+            String pathValue = findNestedScalarValue(stepMapping, "with", "path");
             if (pathValue != null && hasDangerousArtifactPaths(pathValue)) {
                 return SearchResult.found(entry,
                         "Uploading potentially sensitive paths that may contain credentials or configuration files.");

src/main/java/org/openrewrite/github/security/CachePoisoningRecipe.java

@@ -20,6 +20,7 @@
 import org.openrewrite.ExecutionContext;
 import org.openrewrite.Recipe;
 import org.openrewrite.TreeVisitor;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -90,7 +91,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         return new CachePoisoningVisitor();
     }
 
-    private static class CachePoisoningVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class CachePoisoningVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private boolean isPublishingWorkflow = false;
         private boolean hasPublisherAction = false;
@@ -131,14 +132,14 @@ private void analyzeWorkflow(Yaml.Document document) {
         }
 
         private boolean isPublishingTrigger(Yaml.Block onValue) {
-            String scalarTrigger = YamlHelper.getScalarValue(onValue);
+            String scalarTrigger = getScalarValue(onValue);
             if (scalarTrigger != null) {
                 return "release".equals(scalarTrigger);
             }
             if (onValue instanceof Yaml.Sequence) {
                 Yaml.Sequence sequence = (Yaml.Sequence) onValue;
                 for (Yaml.Sequence.Entry seqEntry : sequence.getEntries()) {
-                    String trigger = YamlHelper.getScalarValue(seqEntry.getBlock());
+                    String trigger = getScalarValue(seqEntry.getBlock());
                     if ("release".equals(trigger)) {
                         return true;
                     }
@@ -184,7 +185,7 @@ private boolean hasReleaseBranches(Yaml.Block branchesValue) {
             if (branchesValue instanceof Yaml.Sequence) {
                 Yaml.Sequence sequence = (Yaml.Sequence) branchesValue;
                 for (Yaml.Sequence.Entry entry : sequence.getEntries()) {
-                    String branch = YamlHelper.getScalarValue(entry.getBlock());
+                    String branch = getScalarValue(entry.getBlock());
                     if (branch != null && RELEASE_BRANCH_PATTERN.matcher(branch).matches()) {
                         return true;
                     }
@@ -230,7 +231,7 @@ private boolean jobHasPublisherAction(Yaml.Mapping jobMapping) {
         private boolean stepUsesPublisherAction(Yaml.Mapping stepMapping) {
             for (Yaml.Mapping.Entry entry : stepMapping.getEntries()) {
                 if ("uses".equals(entry.getKey().getValue())) {
-                    String uses = YamlHelper.getScalarValue(entry.getValue());
+                    String uses = getScalarValue(entry.getValue());
                     if (uses != null) {
                         String actionName = extractActionName(uses);
                         return PUBLISHER_ACTIONS.contains(actionName);
@@ -262,7 +263,7 @@ private boolean isCacheAwareActionStep(Yaml.Mapping.Entry entry) {
                 return false;
             }
 
-            String uses = YamlHelper.getScalarValue(entry.getValue());
+            String uses = getScalarValue(entry.getValue());
             if (uses == null) {
                 return false;
             }
@@ -272,7 +273,7 @@ private boolean isCacheAwareActionStep(Yaml.Mapping.Entry entry) {
         }
 
         private String getActionName(Yaml.Mapping.Entry entry) {
-            String uses = YamlHelper.getScalarValue(entry.getValue());
+            String uses = getScalarValue(entry.getValue());
             return uses != null ? extractActionName(uses) : "unknown";
         }
 

src/main/java/org/openrewrite/github/security/ExcessivePermissionsRecipe.java

@@ -18,6 +18,7 @@
 import lombok.EqualsAndHashCode;
 import lombok.Value;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -58,7 +59,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class ExcessivePermissionsVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class ExcessivePermissionsVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         @Override
         public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionContext ctx) {
@@ -76,7 +77,7 @@ private boolean isPermissionsEntry(Yaml.Mapping.Entry entry) {
         }
 
         private Yaml.Mapping.Entry checkPermissions(Yaml.Mapping.Entry entry) {
-            String scalarPermissionValue = YamlHelper.getScalarValue(entry.getValue());
+            String scalarPermissionValue = getScalarValue(entry.getValue());
             if (scalarPermissionValue != null) {
                 return checkScalarPermissions(entry, scalarPermissionValue);
             }
@@ -107,7 +108,7 @@ private Yaml.Mapping.Entry checkMappingPermissions(Yaml.Mapping.Entry entry, Yam
 
             for (Yaml.Mapping.Entry permEntry : permissionsMapping.getEntries()) {
                 String permissionName = permEntry.getKey().getValue();
-                String permissionValue = YamlHelper.getScalarValue(permEntry.getValue());
+                String permissionValue = getScalarValue(permEntry.getValue());
                 if (permissionName != null && permissionValue != null) {
 
                     if ("write".equals(permissionValue)) {